September 29, 2004
Report No. 04-042

FDIC’s Implementation of the Sarbanes-Oxley Act of 2002

AUDIT REPORT

TABLE OF CONTENTS

BACKGROUND
RESULTS OF AUDIT
GUIDANCE TO FDIC-SUPERVISED FINANCIAL INSTITUTIONS
GUIDANCE TO FDIC EXAMINERS
CORPORATION COMMENTS AND OIG EVALUATION

APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY
APPENDIX II: SUMMARY OF SARBANES-OXLEY ACT PROVISIONS
APPENDIX III: GUIDANCE ISSUED BY THE FDIC IMPLEMENTING PROVISIONS OF THE SARBANES-OXLEY ACT
APPENDIX IV: SUMMARY OF SARBANES-OXLEY ACT RELATED FINANCIAL INSTITUTION LETTERS
APPENDIX V: CORPORATION COMMENTS

TABLE
  Performance Measures Related to Supervision and Examination

the public accounting industry.
The Act applies to all companies with publicly traded securities.[3] The Act’s stated purpose is to improve quality and transparency in financial reporting and independent audits and accounting services for public companies, create a Public Company Accounting Oversight Board (PCAOB), enhance the standard-setting process for auditing practices, strengthen the independence of firms that audit public companies, increase corporate responsibility and the usefulness of corporate financial disclosure, protect the objectivity and independence of securities analysts, and improve the U.S. Securities and Exchange Commission’s (SEC)[4] resources and oversight. In addition, the Sarbanes-Oxley Act imposed new obligations on directors, officers, accountants, auditors, and insiders. Violations of these obligations would be the basis for professional liability lawsuits. A summary of Sarbanes-Oxley Act provisions can be found in Appendix II.

Securities Exchange Act of 1934

For state-chartered financial institutions that are not members of the Federal Reserve System and that have one or more classes of securities[5] subject to the registration provisions of sections of the Securities Exchange Act of 1934 (the Exchange Act),[6] the FDIC is vested with the powers, functions, and duties of the SEC to administer and enforce various securities regulations, including:

• Securities Exchange Act of 1934, sections:
  o 10A(m), Standards Relating to Audit Committees,
  o 12, Registration Requirements for Securities,
  o 13, Periodical and Other Reports,
  o 14(a), Solicitation of Proxies,
  o 14(c), Information Statements,
  o 14(d), Tender Offers,
  o 14(f), Election of Directors, and
  o 16, Beneficial Ownership and Reporting.

• Sarbanes-Oxley Act of 2002, sections:
  o 302, Corporate Responsibility for Financial Reports,
  o 303, Improper Influence on Conduct of Audits,
  o 304, Forfeiture of Certain Bonuses and Profits,
  o 306, Insider Trades During Pension Fund Blackout Periods,
  o 401(b), Disclosures in Periodic Reports,
  o 404, Management Assessment of Internal Controls,
  o 406, Code of Ethics for Senior Financial Officers, and
  o 407, Disclosure of Audit Committee Financial Expert.

[3] A publicly traded company generally has assets exceeding $1 million and a class of equity securities held by 500 or more persons.
[4] The SEC is a government commission created by the Congress to regulate the securities markets and protect investors. The statutes administered by the SEC are designed to promote full public disclosure and protect the investing public against fraudulent and manipulative practices in the securities markets. Generally, most issues of securities offered in interstate commerce, either through the mail or on the Internet, must be registered with the SEC.
[5] A class is a group of securities with similar features such as voting rights and dividend payments.
[6] The Exchange Act identifies and prohibits certain types of conduct in the markets and provides the SEC with disciplinary powers over regulated entities and persons associated with them. The Act also empowers the SEC to require periodic reporting of information by companies with publicly traded securities, and requires companies to file proxy materials with the SEC to ensure compliance with disclosure rules.

The Exchange Act further prescribes that the FDIC has the power to make rules and regulations necessary to execute the functions with which it is vested.

FDIC Rules and Regulations Part 335 – Securities of Nonmember Insured Banks

The FDIC’s Rules and Regulations, Part 335, Securities of Nonmember Insured Banks, incorporates, through reference, the SEC regulations issued under the Exchange Act sections listed above, except where the FDIC has found that these regulations are not necessary or appropriate. Therefore, after the SEC issues implementing regulations, they are automatically incorporated, by reference, into Part 335. The FDIC reviews the SEC’s implementing regulations to determine whether any are not necessary or appropriate and, if so, issues regulations excluding those requirements from Part 335. The FDIC also issues guidance to its registered banks about the changes applicable to them.

DSC’s Accounting and Securities Disclosure Section is principally responsible for administering Part 335.
This Section also maintains public files for periodic reports made under the Securities Exchange Act of 1934 by FDIC-supervised financial institutions that have registered securities, including: Registration Statements (Forms 10 and 10-SB), Annual Reports (Forms 10-K and 10-KSB), Quarterly Reports (Forms 10-Q and 10-QSB), Proxy Statements, Current Reports (Form 8-K), Beneficial Ownership Reports (Forms F-7, F-8 and F-8A), and Acquisition Statements (Schedules 13D and 13G).

The Section is also responsible for administering the use of offering circulars in connection with the public distribution of bank securities by insured state nonmember banks. The issuance of securities by banks is subject to the antifraud provisions of the federal securities laws which require full and adequate disclosure of material facts. In view of the FDIC's statutory duty to determine capital adequacy when acting on an application for federal deposit insurance, the FDIC determines whether public investors have been provided sufficient disclosure of material facts by an insured state nonmember bank. The FDIC also reviews any offering circular issued by a bank operating under an administrative order, or used in a mutual-to-stock conversion as part of the application process.

The Accounting and Securities Disclosure Section also maintains and monitors interagency files for Peer Reviews of public accounting firms filed under Part 363 of the FDIC’s Rules and Regulations and performs reviews of disclosures to bank shareholders of regulatory enforcement actions against FDIC-insured banks. These disclosures of enforcement actions principally involve FDIC Cease and Desist Orders.
In addition, DSC’s Accounting and Securities Disclosure Section writes guidance related to matters of accounting, securities, and disclosure.

FDIC Rules and Regulations Part 363 – Annual Independent Audits and Reporting Requirements

Section 112 of the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA), Independent Annual Audits of Insured Depository Institutions, amended the Federal Deposit Insurance (FDI) Act by adding section 36,[7] Early Identification of Needed Improvements in Financial Management. Section 36 of the FDI Act, codified to 12 United States Code (U.S.C.) 1831m and implemented by FDIC regulation 12 Code of Federal Regulations (C.F.R.), Part 363, requires every large (total assets of $500 million or more) insured depository institution to submit an annual report containing the institution’s financial statements and certain management assessments to the FDIC, the appropriate federal banking agency, and any appropriate state bank supervisor. Section 36 of the FDI Act also requires that an independent public accountant audit the insured depository institution’s annual financial statements to determine whether those statements are presented fairly in accordance with generally accepted accounting principles (GAAP) and with the accounting objectives, standards, and requirements described in section 37 of the FDI Act. Under section 37, the accounting principles applicable to financial statements required to be filed with the federal banking agencies must be uniform and consistent with GAAP. In addition, the accountant must attest to and report on management’s assertions concerning internal controls over financial reporting. The institution’s annual report must also contain the accountant’s audit and attestation reports.
Therefore, Part 363 established auditing and reporting requirements for institutions with assets of $500 million or more before the Sarbanes-Oxley Act was passed.

The auditing and reporting requirements of the FDIC’s Part 363 are similar to certain provisions of the Sarbanes-Oxley Act, but the Act differs in a few significant respects. Although the SEC’s final rules for section 404 of the Sarbanes-Oxley Act, Management Assessment of Internal Controls, are similar to the FDIC’s Part 363 internal control report requirements, the SEC’s final rules did not require a statement of compliance with designated laws and regulations relating to safety and soundness.

Instead, the SEC included the following provisions related to internal control that are not in the FDIC’s regulations:

• The report must include a statement identifying the framework used by management to evaluate the effectiveness of the company's internal control over financial reporting.[8]

• Management must disclose any material weakness[9] that it has identified in the company's internal control over financial reporting (and related stipulation that management is not permitted to conclude that the company's internal control over financial reporting is effective if there are one or more material weaknesses).

• The company must state that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting.

• The company must provide the registered public accounting firm's attestation report on management's assessment of internal control over financial reporting in the company's annual report filed under the Exchange Act.[10]

[7] The statute gives the FDIC Board of Directors the discretion to establish the threshold asset size at which a section 36 annual report is required. That amount is currently set at $500 million. A section 36 audit is not required of financial institutions with less than $500 million in total assets. However, the federal banking agencies encourage every insured depository institution, regardless of its size or character, to have an annual audit of its financial statements by an independent public accountant.
[8] The FDIC's Rules and Regulations do not specifically require that management identify the control framework used to evaluate the effectiveness of the institution's internal control over financial reporting. However, given the requirements of sections 101 and 501 of the American Institute of Certified Public Accountants' attestation standards, the FDIC believes that the framework used must be disclosed or otherwise publicly available to all users of reports that institutions file with the FDIC pursuant to Part 363 of the FDIC's Rules and Regulations.

The FDIC’s Board of Directors adopted Rules and Regulations Part 363 to implement section 36 provisions that required rulemaking.
The auditor independence requirements of the Sarbanes-Oxley Act affect all Part 363 institutions because Guideline 14, found in Part 363 Appendix A, Guidelines and Interpretations, provides that an auditor should “… meet the independence requirements and interpretations of the SEC and its staff.” Thus, requirements of the Act would affect the auditors engaged by institutions covered by Part 363 (some of whom are not SEC registrants) and the reports that the institutions file with the FDIC.

FDIC Guidance

The FDIC distributes the majority of its guidance to bankers through Financial Institution Letters (FILs). FILs are addressed to the Chief Executive Officers of the financial institutions listed on the FDIC’s FILs distribution list – generally, FDIC-supervised institutions. The FILs generally announce new regulations and policies, new FDIC publications, and a variety of other matters of principal interest to bank management.
In some cases, FILs explain specific examination procedures to be performed by FDIC examiners, as is the case with FIL-21-2003, Interagency Policy Statement on the Internal Audit Function and Its Outsourcing, dated March 17, 2003.

Under section 10(d) of the FDI Act, all FDIC-insured institutions are required to undergo on-site safety and soundness examinations by a federal regulator[11] every 12 or 18 months,[12] depending on asset size and CAMELS[13] ratings. Safety and soundness examinations are the primary means to identify weaknesses that may ultimately lead to institution failure. The FDIC implements its authority to perform on-site safety and soundness examinations through a series of directives in DSC’s Memorandum System that are addressed to Regional Directors; manuals, such as DSC’s Manual of Examination Policies and Case Manager’s Procedures Manual; and DSC Examination Documentation (ED) Modules that provide examination direction and are periodically updated.

[9] A material weakness is a condition where the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by errors or fraud in amounts that would be material in relation to the financial statement being audited may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions.
[10] The FDIC's Rules and Regulations do require an independent public accountant to examine, attest to, and report separately on, the assertion of management concerning the institution's internal control structure and procedures for financial reporting. The Rules and Regulations do not require the accountant to be a registered public accounting firm.
[11] The four federal regulators are the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System (FRB), the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.
[12] The FDI Act requires all FDIC-insured banks to be examined on a 12-month cycle. The Act allows the examination cycle to be extended to 18 months for banks with assets of $250 million or less if other factors are met – primarily that the bank is CAMELS-rated 1 or 2 (see footnote 13), well managed, and well capitalized.

RESULTS OF AUDIT

The FDIC took adequate steps to issue implementing guidance for applicable provisions of the Sarbanes-Oxley Act. In addition, the Act did not have a major impact on FDIC-supervised financial institutions because of pre-existing audit committee and internal control reporting requirements imposed by FDICIA. Further, of the 5,300 financial institutions supervised by the FDIC, only 94 are public companies, and 524 other FDIC-supervised institutions are subsidiaries of public bank holding companies – limiting the number of institutions directly or indirectly subject to the Sarbanes-Oxley Act provisions.

The FDIC has provided adequate guidance to the FDIC-supervised financial institutions. For public financial institutions and financial institutions that are subsidiaries of public bank holding companies, the FDIC guidance required compliance with the Sarbanes-Oxley Act.
For nonpublic financial institutions, the FDIC encouraged compliance with the Sarbanes-Oxley Act – including those provisions governing auditor independence, corporate responsibility, and enhanced financial disclosures – and the implementing regulations because of their relevance to sound corporate governance practices.

The FDIC has also provided adequate guidance to its bank examiners by issuing revised examination procedures, clarifying its position on Sarbanes-Oxley Act issues, and reemphasizing expectations about governance practices that the FDIC had previously endorsed. Examiners were advised to continue to encourage nonpublic banking institutions to periodically review their policies and procedures relating to corporate governance, including internal controls and auditing matters.

However, it is not clear how examiners monitor compliance with Sarbanes-Oxley Act provisions at institutions that are subsidiaries of public bank holding companies or whether the FDIC is responsible for monitoring compliance by these institutions. In addition, the Sarbanes-Oxley Act has brought about differences in internal control requirements and reporting for public and nonpublic institutions. As a result, it is possible that institutions that pose similar risks to the deposit insurance funds will receive inconsistent treatment by examiners. These issues may be addressed in a subsequent audit of examiner assessment of institution compliance with the Sarbanes-Oxley Act.

[13] CAMELS (Capital, Asset quality, Management, Earnings, Liquidity, and Sensitivity to market risk) are the rating factors used by federal regulators in examining the safety and soundness of FDIC-insured institutions. A rating of 1 through 5 is given, with 1 having the least regulatory concern and 5 having the greatest concern.

GUIDANCE TO FDIC-SUPERVISED FINANCIAL INSTITUTIONS

The FDIC provided adequate implementation guidance to FDIC-supervised financial institutions. For public financial institutions, the FDIC’s guidance required compliance with the Sarbanes-Oxley Act, and the FDIC encouraged nonpublic financial institutions to comply with certain provisions of the Act because of its relevance to sound corporate governance practices. Appendix III of this report contains guidance issued to financial institutions and FDIC examiners regarding requirements of amendments and additions to the Exchange Act made by the Sarbanes-Oxley Act, and new sections of the Sarbanes-Oxley Act for which the FDIC has enforcement authority.

With respect to the Sarbanes-Oxley Act, the bulk of the implementation guidance to financial institutions was issued in FIL-17-2003, Corporate Governance, Audits, and Reporting Requirements, dated March 5, 2003. FIL-17-2003 provided guidance to institutions about selected provisions of the Sarbanes-Oxley Act, including the actions that the FDIC encouraged institutions to take to ensure sound corporate governance. The guidance also discussed the applicability of the auditor independence provisions of the Act and the SEC's implementing regulations for institutions with $500 million or more in total assets.

There were two attachments to FIL-17-2003; each attachment provided insured institutions with bank policy guidance and comments on sound corporate governance practices for banks based on provisions of the Sarbanes-Oxley Act. Attachment I was addressed to insured institutions with less than $500 million in total assets that are not public companies, and Attachment II addressed insured institutions with $500 million or more in total assets.
Attachment II also indicated that the FDIC is considering possible amendments to Part 363 of its Rules and Regulations to extend certain provisions of the Sarbanes-Oxley Act to all insured institutions with $500 million or more in total assets, whether or not the institutions are public companies or subsidiaries of public companies. The FDIC advised public company financial institutions to comply with applicable sections of the Act and encouraged nonpublic institutions to implement recommended policies and corporate governance practices. A summary of additional guidance to financial institutions relative to certain titles and sections of the Sarbanes-Oxley Act is in Appendix IV.

In addition, on August 9, 2004, the FDIC issued a limited-distribution[14] FIL regarding recent SEC developments and changes in filing requirements as published by the SEC and PCAOB. The purpose of this FIL is to provide approximately 100 FDIC-registered banks (state nonmember banks with securities registered under the Exchange Act of 1934) with an overview of the new requirements and references to obtain further information. The limited-distribution FIL addresses the SEC’s latest amendments to rules regarding implementation of section 302 (Corporate Responsibility for Financial Reports), section 404 (Management Assessment of Internal Controls), section 409 (Real Time Issuer Disclosures), and section 906 (Corporate Responsibility for Financial Reports) of the Sarbanes-Oxley Act.

[14] These letters are distributed only to FDIC-supervised financial institutions with a class of securities registered with the FDIC (registrants).

The issuance of a FIL in the case of new legislation, law, rule, or regulation involves a collaborative effort between FDIC divisions.
In the case of the Sarbanes-Oxley Act, implementing guidance to affected institutions involved the FDIC’s OLA,[15] the Legal Division’s Supervision and Legislation Section,[16] and the DSC’s Accounting and Securities Disclosure Section. OLA kept the Legal Division’s Supervision and Legislation Section and DSC’s Accounting and Securities Disclosure Section informed by providing early draft versions of the law. The Supervision and Legislation Section provided legal analysis to the OLA and DSC’s Accounting and Securities Disclosure Section of the provisions of the new law as it evolved, including actions required by the FDIC to implement provisions of the new law. DSC’s Accounting and Securities Disclosure Section authored the implementing FILs and related examination guidance. The Supervision and Legislation Section also reviewed FILs and Regional Director (RD) Memoranda associated with implementation of the Sarbanes-Oxley Act before the guidance was issued.

In our opinion, the collaborative effort between DSC’s Accounting and Securities Disclosure Section, OLA and the Legal Division resulted in the Corporation providing adequate implementing guidance to affected FDIC-supervised financial institutions. For public financial institutions, the FDIC’s guidance was clear about required compliance with the Sarbanes-Oxley Act, and for nonpublic financial institutions, the FDIC encouraged compliance with certain provisions of the Act because of the Act’s relevance to sound corporate governance practices.

GUIDANCE TO FDIC EXAMINERS

The FDIC also provided adequate guidance to its bank examiners by revising its examination procedures, clarifying its position on Sarbanes-Oxley Act issues, and reemphasizing expectations about governance practices that the FDIC has endorsed.
This guidance is listed in Appendix III. However, as discussed at the end of this section, we are concerned (1) about the ambiguity surrounding responsibility for monitoring compliance with the Act by subsidiaries of public companies and (2) that examiners may treat similar public and nonpublic entities differently because the Act applies only to public entities.

DSC’s Planning and Development Section communicated guidance to FDIC bank examiners regarding applicable sections of the Act primarily through issuance of RD Memoranda. In addition to RD Memoranda, DSC communicated developments concerning the implementation of the Sarbanes-Oxley Act through seminars and other forums. Sarbanes-Oxley Act developments were also communicated and discussed through presentations at DSC regional conferences regarding the effects of the Act on the banking industry; contacts between DSC’s Accounting and Securities Disclosure Section, Regional Accountants, and DSC field accounting subject matter experts; field examiner contacts with their respective DSC accounting subject matter expert; and participation by DSC regional accountants and field examiner subject matter experts in the annual accounting seminars sponsored by the FDIC, the FRB, the Office of the Comptroller of the Currency (OCC), the Office of Thrift Supervision (OTS), and the National Credit Union Administration (NCUA).

[15] OLA was established to act as a central contact point for congressional members and their staff who have inquiries relating to the work of the FDIC. OLA monitors new legislation affecting the banking industry as it makes its way through the legislative process and coordinates with affected FDIC divisions.
[16] The Supervision and Legislation Section develops, drafts, and provides legal opinions to the Corporation on legislation, regulations, and policy statements that govern the activities, operations, and structures of operating insured depository institutions. The Section also provides guidance on deposit insurance coverage and assessments of member institutions, federal securities laws, and consumer laws. Furthermore, the Supervision and Legislation Section is responsible for the Corporation's compliance with laws and regulations governing rulemaking and information-collection practices.

DSC issued two RD Memoranda that communicated examination guidance with respect to the Sarbanes-Oxley Act. Memorandum 2003-027, Corporate Governance, Audits, and Reporting Requirements, dated July 9, 2003, provides guidance to examiners on the impact of the Act on insured depository institutions. RD Memorandum 2004-021, Revised Examination Modules, dated May 14, 2004, provides updated risk-focused ED Modules. This RD Memorandum included the module, Management and Internal Controls Evaluation, which incorporates changes relative to corporate governance, auditing, and reporting guidance as prescribed by the Sarbanes-Oxley Act.

In RD Memorandum 2003-027, the DSC transmitted general guidance to its examiners regarding the Sarbanes-Oxley Act, along with a copy of FIL-17-2003. The FDIC advised its examiners that the Sarbanes-Oxley Act imposed new auditor independence, reporting, and corporate governance requirements on all publicly traded companies, including insured depository institutions and bank holding companies.
The FDIC also stated that certain provisions of the Sarbanes-Oxley Act would also affect insured institutions subject to section 36 of the FDI Act.[17]

The FDIC explained in the RD Memorandum that FIL-17-2003 was issued to provide comprehensive guidance on the sound corporate governance practices set forth in the Sarbanes-Oxley Act, including how such practices may benefit all banking organizations, including nonpublic insured depository institutions. The FDIC also noted that after the issuance of FIL-17-2003, the FRB, OCC, and OTS issued guidance on this subject that differed in language – but not in substance – from FIL-17-2003. The FDIC stated that, based on confusion expressed by bankers and concern over enforcement of perceived different standards, the Corporation issued RD Memorandum 2003-027 to clarify the FDIC’s position on the matter.

The FDIC also instructed its examiners that FIL-17-2003 did not establish any new mandates for nonpublic institutions with total assets of less than $500 million. The FDIC expected that these institutions would continue to follow the sound corporate governance practices that the FDIC has long endorsed – practices based on existing banking laws, regulations, and guidelines.[18] Examiners were advised to continue to encourage nonpublic banking institutions to periodically review their policies and procedures relating to corporate governance and auditing matters.
Such reviews would ensure that policies and procedures were consistent with applicable laws, regulations, and supervisory guidance and appropriate to the institution’s size, operations, and resources. Examiners were also advised to exercise sound judgment and good common sense when evaluating management’s decisions.

[17] Banks with less than $500 million in total assets are not subject to the annual audit and reporting requirements of section 36 of the FDI Act.
[18] Guidelines include the Interagency Policy Statement on External Programs of Banks and Savings Associations (September 1999) and the Interagency Policy Statement on the Internal Audit Function and its Outsourcing (revised March 2003).

RD Memorandum 2004-021 transmitted to examiners an update of the risk-focused supervision ED Module, Management and Internal Control Evaluation. The updated ED Module contained several revisions designed to address corporate governance guidance, audit, and other independent review issues; business continuity planning; and conflicts of interest. The DSC made substantive changes to the Core Analysis sections of the Management and Internal Controls Evaluation ED Module related to the requirements found in Title II, Auditor Independence, and Title III, Corporate Responsibility, of the Sarbanes-Oxley Act. These revisions captured the essence of the new requirements found in titles and sections of the Sarbanes-Oxley Act.

In our opinion, the DSC’s RD Memorandum guidance and other communication efforts on Sarbanes-Oxley Act developments to its bank examiners were adequate.

Monitoring Compliance of Public Company Subsidiaries and Examiner Treatment of Public vs. Nonpublic Entities

Although we are not making any recommendations, we are concerned about the treatment of subsidiaries of public companies and that examiners may treat similar public and nonpublic entities differently. It is not clear whether or how examiners should monitor compliance with Sarbanes-Oxley Act provisions at FDIC-supervised financial institutions that are subsidiaries of public bank holding companies. We understand that the FRB is responsible for inspecting bank holding companies subject to the Bank Holding Company Act of 1956, as amended, and would be responsible for monitoring compliance with the Sarbanes-Oxley Act at the holding company level. However, the FDIC’s guidance did not clearly identify who would be responsible for monitoring such compliance at the subsidiary level or at bank holding companies that are not supervised by the FRB. In addition, the Sarbanes-Oxley Act has brought about differences in internal control requirements and reporting for public and nonpublic institutions. As a result, it is possible that institutions that pose similar risks to the deposit insurance funds will receive inconsistent treatment by examiners. These issues may be addressed in a subsequent audit of examiner assessment of institution compliance with the Sarbanes-Oxley Act.

CORPORATION COMMENTS AND OIG EVALUATION

Although the report did not contain recommendations, the Director, DSC, provided a written response to the draft report on September 22, 2004. The response is presented, in its entirety, in Appendix V of this report.
DSC concurred with the OIG’s observation that the Sarbanes-Oxley
Act did not have a major impact on FDIC-supervised financial institutions because of pre-existing
audit committee and internal control reporting requirements imposed by FDICIA.


APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of this audit was to determine whether the FDIC has taken adequate steps to issue
implementing guidance to financial institutions and examiners for applicable provisions of the
Sarbanes-Oxley Act of 2002. To accomplish our objective, we reviewed the actions taken by the
FDIC, primarily within the DSC, with assistance from the FDIC’s Legal Division and the OLA,
to implement guidance for financial institutions and examiners regarding applicable provisions
of the Sarbanes-Oxley Act. In addition, we reviewed RD Memoranda, FILs, and operating
manuals and policies. The audit field work was performed at the FDIC’s Washington, D.C.
offices. We performed our audit from June 2004 through August 2004 and in accordance with
generally accepted government auditing standards. Accomplishing the audit objectives is
discussed in the following sections.

Reliance on Computer-Processed Data

Computer-processed data were not significant to the accomplishment of our audit objectives,
findings, or conclusions. Therefore, we did not perform tests to determine the reliability or
validity of data.

Management Controls

We gained an understanding of relevant control activities by reviewing the FDIC’s policies and
procedures applicable to issuance of guidance to FDIC-supervised financial institutions and
FDIC examiners.
These policies and procedures are contained in the FDIC’s Manual of
Examination Policies, Case Manager Procedures Manual, ED Modules, RD Memoranda, and
FILs. Our review of the management controls for the implementation of the Sarbanes-Oxley Act
of 2002 did not identify control weaknesses.

Prior Audit Coverage

This issue area has not previously been audited.

Laws and Regulations

We gained an understanding of certain aspects of laws and regulations and evaluated the FDIC’s
implementation of procedures applicable to implementation of the Sarbanes-Oxley Act of 2002.
These included the following:

•   Laws
    o Sarbanes-Oxley Act of 2002
    o Securities Exchange Act of 1934
    o Federal Deposit Insurance Act
    o Bank Holding Company Act of 1956

•   FDIC Regulations
    Title 12 C.F.R., Banks and Banking
    o Part 335, Securities of Nonmember Insured Banks, which also incorporates, through
        reference, the regulations of the SEC issued under certain sections of the Exchange Act
    o Part 363, Annual Independent Audits and Reporting Requirements

Government Performance and Results Act

We reviewed DSC’s performance measures under the Government Performance and Results Act
(GPRA), Public Law 103-62. We determined that the FDIC did not have a corporate
performance objective specifically related to financial institution compliance with the
Sarbanes-Oxley Act of 2002.
However, according to the FDIC’s 2004 Annual Performance
Plan, as shown in the following table, the FDIC established a strategic goal, objective, and
annual performance goal that include assessing each institution’s management practices and
policies and compliance with applicable regulations, as part of the FDIC’s overall assessment of
risk management and safety and soundness. Compliance with provisions of the Sarbanes-Oxley
Act will be reviewed in a subsequent audit.

Performance Measures Related to Supervision and Examination

| Strategic Goal | Strategic Objective | Annual Performance Goal | Operational Processes |
|---|---|---|---|
| FDIC-supervised institutions are safe and sound. | FDIC-supervised institutions appropriately manage risk. | Conduct on-site safety and soundness examinations to assess an FDIC-supervised insured depository institution’s overall financial condition, management practices and policies, and compliance with applicable regulations. | Risk management examinations assess an FDIC-supervised insured depository institution’s overall financial condition, management practices and policies, and compliance with applicable regulations. The FDIC projected that in 2004 it will conduct 2,561 examinations required under statute, FDIC policy, or agreement with state supervisors. |

Source: Federal Deposit Insurance Corporation 2004 Annual Performance Plan.

Fraud and Illegal Acts

The limited nature of the audit objective did not require that we assess the possibility for fraud
and illegal acts.
However, throughout the audit we were alert to the possibility of fraud and
illegal acts, and no instances came to our attention.


APPENDIX II

SUMMARY OF SARBANES-OXLEY ACT PROVISIONS

| Section | Title | Requirements of the Act | Responsibility |
|---|---|---|---|
| 1 | Short title and table of contents | The Act may be cited as the “Sarbanes-Oxley Act of 2002.” | -- |
| 2 | Definitions | Defines the Act’s operative terms. | -- |
| 3 | Commission rules and enforcement | Requires the SEC to issue rules and regulations necessary to implement and enforce the Act. A violation could subject a person to the same penalties as a violation under the Securities Exchange Act of 1934. | SEC |

Title I – Public Company Accounting Oversight Board

| Section | Title | Requirements of the Act | Responsibility |
|---|---|---|---|
| 101 | Establishment and administrative provisions | Establishes the PCAOB as an independent, non-governmental board to oversee audits of public companies that are subject to the securities laws to protect the interests of investors and public interests through the preparation of informative, accurate, and independent financial reports. Defines the PCAOB’s duties, membership and appointments, powers, rules, and reports. | SEC |
| 102 | Registration with the board | Requires public accounting firms to register with and provide information to the PCAOB in order to perform audits of public companies. | External Auditor |
| 103 | Auditing, quality control, and independence standards and rules | The PCAOB must establish standards for auditing and related attestations, quality control, ethics, and independence to be used by registered public accounting firms in the preparation and issuance of audit reports. | PCAOB |
| 104 | Inspections of registered public accounting firms | Requires the PCAOB to conduct a continuing program of inspections to assess the degree of compliance of each registered public accounting firm with the Act. | PCAOB |
| 105 | Investigations and disciplinary proceedings | Requires the PCAOB to establish rules and procedures to investigate and discipline registered public accounting firms. The PCAOB is given broad investigatory authority regarding acts or omissions by a registered public accounting firm or associated person. | PCAOB |
| 106 | Foreign public accounting firms | Extends the requirements of the Act to foreign public accounting firms that prepare or assist in preparing an audit report for an issuer. | External Auditor |
| 107 | Commission oversight of the board | The SEC has oversight and enforcement authority over the PCAOB. | SEC |
| 108 | Accounting standards | The SEC may recognize as “generally accepted” any accounting principles established by a standard setting body that meets criteria set forth in the Act. (For example, the Financial Accounting Standards Board would satisfy these criteria.) | SEC |
| 109 | Funding | Provides funding for the PCAOB from annual accounting reporting fees, investigation fees, and issuer fees. | PCAOB |

Title II – Auditor Independence

| Section | Title | Requirements of the Act | Responsibility |
|---|---|---|---|
| 201 | Services outside the scope of practice of auditors | External auditors cannot provide specific non-audit services to an audit client, including: (1) bookkeeping; (2) financial information system design and implementation; (3) appraisal or valuation services; (4) actuarial services; (5) internal audit; (6) management or human resource services; (7) broker-dealer, investment adviser, or investment banking services; (8) legal and expert services unrelated to the audit; and (9) any other service that the PCAOB determines impermissible. | External Auditor |
| 202 | Preapproval requirements | Audit committees must preapprove and periodic reports must disclose all audit services and permissible non-audit services provided by the issuer’s external auditor. | Public Company and its Audit Committee |
| 203 | Audit partner rotation | Requires lead and review partners to be rotated after 5 years and other partners who were part of the audit team to be rotated after 7 years. | External Auditor |
| 204 | Auditor report to audit committees | External auditors are required to report to audit committees all critical accounting policies and practices, all alternative accounting and disclosure treatments discussed with management, and other material written communications with the management of the issuer. | External Auditor, Public Company, and Audit Committee |
| 205 | Conforming amendments | Conforms definitions of certain terms used in the Act to the definitions in related securities laws. | -- |
| 206 | Conflicts of interest | A registered public accounting firm cannot perform audit services for an issuer if a chief executive officer, controller, chief financial officer, chief accounting officer, or equivalent officer was employed by the auditing firm during the 1-year period preceding the initiation of the audit service. | Public Company and External Auditor |
| 207 | Study of mandatory rotation of registered public accounting firms | The Government Accountability Office (GAO) is required to conduct a study and review of the potential effects of requiring mandatory rotation of registered public accounting firms and report its findings to the Congress. | GAO |
| 208 | Commission authority | SEC is required to issue implementing regulations for auditor independence, making it unlawful for any registered public accounting firm to prepare or issue any audit report if the firm has engaged in prohibited activity as defined by subsections (g) through (l) of section 10A of the 1934 Exchange Act, or rule or regulation of the SEC or PCAOB. | SEC |
| Section | Title | Requirements of the Act | Responsibility |
|---|---|---|---|
| 209 | Considerations by appropriate state regulatory authorities | It is the sense of the Congress that, in supervising non-registered public accounting firms and associated persons, appropriate state regulatory authorities should make an independent determination of the proper standards applicable, taking into consideration the size and nature of the firms’ business. | -- |

Title III – Corporate Responsibility

| Section | Title | Requirements of the Act | Responsibility |
|---|---|---|---|
| 301 | Public company audit committees | Requires the SEC to direct the national securities exchanges and associations to prohibit the listing of any security of an issuer that is not in compliance with certain requirements. | SEC |
| | | The section also prescribes requirements for • independence of audit committee members, • the audit committee's responsibility to select and oversee the independent auditor, • complaint procedures regarding accounting practices, • authority of the audit committee to engage advisors, and • funding for the independent auditor and any outside advisors engaged by the audit committee. | Audit Committee |
| 302 | Corporate responsibility for financial reports | An issuer’s chief executive officer (CEO) and chief financial officer (CFO) must certify that • they have reviewed annual and quarterly reports; ◦ the reports do not contain any untrue statement of material fact or have not omitted a material fact in light of the circumstances; and ◦ the financial statements fairly present in all material respects the financial condition and operations of the issuer; • they are responsible for the issuer’s internal controls and have evaluated them and presented in the report their conclusions about the effectiveness of the controls; • they have disclosed to the auditors and audit committee ◦ all deficiencies and material weaknesses in internal controls; ◦ any fraud, whether material or not, involving management or others who have a significant role in internal controls; and • they have identified significant changes in internal controls or other factors that could significantly affect internal controls, including any corrective actions with regard to significant deficiencies and material weaknesses. (Section 906 also requires a certification and imposes criminal penalties for violations.) | Public Company |
| 303 | Improper influence on conduct of audits | It is unlawful for any officer or director of an issuer, or any person acting under the direction thereof, to take any action to fraudulently influence, coerce, manipulate, or mislead any independent public or certified accountant engaged in the performance of an audit of the financial statements for the purpose of rendering them materially misleading. | Public Company and External Auditor |
| 304 | Forfeiture of certain bonuses and profits | If, as a result of misconduct, an issuer is required to restate its financial statements due to a material non-compliance with any financial reporting requirement, then the CEO and CFO are required to reimburse the issuer for any bonus or other incentive-based or equity-based compensation received and any profits realized from the sale of the issuer's securities during the 12 months following the filing of the financial statements embodying the noncompliance. | Public Company and SEC |
| 305 | Officer and director bars and penalties | An officer or director can be barred from serving as a corporate officer if found to be unfit for that office, and may be forced to disgorge benefits from any misconduct. The SEC has the authority to grant equitable relief to investors if appropriate. | SEC |
| 306 | Insider trades during pension fund blackout periods | During a blackout period, officers and directors cannot trade company securities acquired in connection with their service as a director or officer. Any profits realized would inure to and be recoverable by the issuer. The section also sets requirements concerning duties of retirement plan administrators, notices to employees concerning blackout periods, and penalties for violations. | Public Company |
| 307 | Rules of professional responsibility for attorneys | Mandates that the SEC issue rules prescribing minimum standards of professional conduct for attorneys appearing and practicing before it in any way in the representation of issuers, including, at a minimum, a rule requiring an attorney to report evidence of a material violation of securities laws or breach of fiduciary duty or similar violation by the issuer or any agent thereof to appropriate officers within the issuer and, thereafter, to the highest authority within the issuer, if the initial report does not result in an appropriate response. | Public Company’s Counsel |
| 308 | Fair funds for investors | The SEC is authorized to set aside recoveries under the Securities Exchange Act for the victims of securities laws violations and may accept and administer donations to a disgorgement fund. The SEC is also to study and report to Congress its enforcement actions over the last 5 years to identify ways to provide for restitution for injured investors. | SEC |

Title IV – Enhanced Financial Disclosures

| Section | Title | Requirements of the Act | Responsibility |
|---|---|---|---|
| 401 | Disclosures in periodic reports | Financial reports filed with the SEC are to reflect material correcting adjustments identified by a registered public accounting firm. The reports must also disclose all material off-balance sheet transactions and relationships that may have a material current or future effect on financial condition, changes in financial condition, results of operations, liquidity, capital expenditures, capital resources, or significant components of revenues or expenses. | Public Company |
| | | In addition, the SEC is to issue implementing regulations providing that pro forma financial information included in any periodic report shall be presented in a manner that is not misleading in light of the circumstances under which it is presented and shall reconcile the financial report with the financial condition of the issuer under GAAP. | SEC |
| | | The SEC is also to study and report to Congress with recommendations on issuer filings and disclosures to determine the extent of off-balance sheet transactions and the use of special-purpose entities and whether GAAP rules result in financial statements that reflect the economics to investors. | SEC |
| 402 | Enhanced conflict of interest provisions | Issuers are prohibited from extending credit in the form of a personal loan to any director or executive officer. Home improvement loans are permitted if made in the ordinary course of the consumer credit business of the issuer, are generally available to the public, and made on market terms. This provision does not apply to any loan from an insured depository institution if the loan is subject to the insider lending restrictions under section 22(h) of the Federal Reserve Act. | Public Company |
| 403 | Disclosures of transactions involving management and principal stockholders | Changes shareholding and transaction reporting requirements for directors, officers and principal (i.e., greater than 10-percent ownership) stockholders from 10 days following the end of the month to 2 business days following the transaction. Also requires electronic disclosure. | Public Company |
| 404 | Management assessment of internal controls | The SEC is to issue rules requiring annual reports to contain an internal control report containing the items listed in this section. The public accounting firm preparing the report is to separately attest to management’s assessment. | SEC, Public Company, and External Auditor |
| 405 | Exemption | Sections 401, 402, and 404 and applicable implementing rules do not apply to any investment company registered under section 8 of the Investment Company Act. | -- |
| 406 | Code of ethics for senior financial officers | Requires issuers to disclose in annual reports whether they have adopted a code of ethics that applies to the company's principal executive officer, principal financial officer, principal accounting officer or controller, or persons performing similar functions and, if not, the reasons why. | Public Company |
| 407 | Disclosure of audit committee financial expert | Requires companies to disclose whether the audit committee includes at least one financial expert and, if not, the reason. | Public Company |
| 408 | Enhanced review of periodic disclosures by issuers | Requires the SEC to review disclosures, reports, and financial statements of issuers on a regular and systematic basis; and, at a minimum, at least once every 3 years. In scheduling reviews, the SEC must consider issuers that • have issued material restatements of financial results, • experience significant stock price volatility, • have the largest market capitalization, • are emerging companies with disparities in price to earnings ratios, or • have operations that significantly affect any material sector of the economy. | SEC |
| 409 | Real-time issuer disclosures | Issuers of securities registered under section 13(a) or 15(d) of the Securities Exchange Act of 1934 are required to make public disclosure, on a rapid and current basis, of information concerning the issuer’s financial condition and operations, in plain English. | Public Company |

Title V – Analyst Conflicts of Interest

| Section | Title | Requirements of the Act | Responsibility |
|---|---|---|---|
| 501 | Treatment of securities analysts by registered securities associations and national securities exchanges | The SEC was required to adopt rules designed to address analyst conflicts of interest and improve the objectivity of their research, including a requirement that brokers or dealers or their employees may not retaliate against securities analysts for negative reports that may adversely affect the present or prospective investment banking relationship of the broker or dealer. SEC Regulation Analyst Certification (AC) requires that brokers, dealers, and certain persons associated with a broker or dealer include in research reports certifications by the research analyst that the views expressed in the report accurately reflect the analyst’s personal views, and disclose whether or not the analyst received compensation or other payments in connection with specific recommendations or views. Broker-dealers are also required to obtain periodic certifications by research analysts in connection with the analysts’ public appearances. | SEC and Exchanges |

Title VI – Commission Resources and Authority

| Section | Title | Requirements of the Act | Responsibility |
|---|---|---|---|
| 601 | Authorization of appropriations | Authorizes funding for the SEC. | SEC |
| 602 | Appearance and practice before the commission | The SEC can censure any person or deny any person the privilege of appearing or practicing before the SEC if the person is not qualified to represent others, engages in improper professional conduct or willfully violated the securities laws. | SEC |
| 603 | Federal court authority to impose penny stock bars | Courts may prohibit anyone from offering penny stock under certain conditions. | Federal Courts |
| 604 | Qualifications of associated persons of brokers and dealers | This section enhances the qualifications of associated persons of brokers and dealers. | SEC, and Brokers and Dealers |

Title VII – Studies and Reports

GAO is to conduct a study to identify
• the factors leading to consolidation of public
  accounting firms since 1989 and the consequent
  reduction of the number of firms capable of providing
  audit services to large national and multi-national
  business organizations that are subject to the securities
  laws;
• the present and future impact of this consolidation on
  capital formation and securities markets;
GAO study and         •
solutions to problems identified, including ways to\n      report regarding        increase competition;\n701   consolidation of      \xe2\x80\xa2 problems faced by business organizations, resulting         GAO\n      public accounting       from limited competition among public accounting\n      firms                   firms; and\n                            \xe2\x80\xa2 whether federal or state regulations impede that\n                              competition.\n\n                            The GAO is to consult with the SEC, the regulatory\n                            agencies that perform functions similar to the SEC in the\n                            Group of Seven Industrialized Nations member\n                            countries, the Department of Justice, and any other\n                            public or private sector organization the Comptroller\n                            deems appropriate, and to report the results to Congress.\n\n\n\n\n                                              19\n\x0c                                                                                        APPENDIX II\n\n                            The SEC is to study and report to Congress the role and\n                            function of credit rating agencies in the operation of the\n                            securities market, examining\n                            \xe2\x80\xa2 their role in the evaluation of issuers;\n                            \xe2\x80\xa2 their importance to investors and the markets;\n      Commission study\n      and report            \xe2\x80\xa2 impediments to the accurate appraisal of the financial\n702                            resources and risks of issuers;                            SEC\n      regarding credit\n      rating agencies       \xe2\x80\xa2 any barriers to entry into the business of credit rating\n                               agencies;\n                            \xe2\x80\xa2 measures needed to improve dissemination of\n  
                             information when credit rating agencies announce\n                               credit ratings; and\n                            \xe2\x80\xa2 conflicts of interest and ways to mitigate them.\n                            The SEC is to study and report to Congress information\n                            for the period January 1, 1998, to December 31, 2001, to\n      Study and report on\n                            determine the number of securities professionals\n703   violators and                                                                       SEC\n                            (accountants, investment bankers, brokers, dealers, and\n      violations\n                            attorneys) found to have violated or assisted in the\n                            violation of securities laws.\n                            The SEC is to review and analyze its enforcement\n      Study of              actions over the past 5 years and identify areas of\n704   enforcement           reporting that are most susceptible to fraud and              SEC\n      actions               inappropriate earnings management and report the\n                            results to Congress.\n                            The GAO is to study whether investment banks and\n                            financial advisers have assisted public companies in\n                            manipulating their earnings and obfuscating their true\n      Study of\n705                         financial condition. 
The GAO is to specifically address       GAO\n      investment banks\n                            the role of these entities in the collapse of Enron, Global\n                            Crossing, and general marketing transactions and report\n                            the results to Congress.\n\n              Title VIII \xe2\x80\x93 Corporate and Criminal Fraud Accountability\n                            Corporate and Criminal Fraud Accountability Act of\n801   Short title                                                                         --\n                            2002\n                            It is a federal crime punishable by fine and/or\n                            imprisonment up to 20 years for anyone to knowingly\n                            alter, destroy, mutilate, hide or falsify any document or     Courts and\n                            tangible object with intent to impede or influence the        Law\n                                                                                          Enforcement\n                            investigation or proper administration of any agency or\n      Criminal penalties    in any bankruptcy case.\n802   for altering\n      documents             Accountants who audit an issuer are to maintain all audit\n                            or review workpapers for 5 years from the end of the\n                            fiscal period in which the audit or review was concluded.     External\n                            The SEC later issued a final rule increasing the retention    Auditors\n                            period to 7 years. 
Violations are punishable by fine\n                            and/or imprisonment of up to 10 years.\n\n\n\n\n                                               20\n\x0c                                                                                       APPENDIX II\n\n      Debts\n      nondischargeable if     Debts arising under a claim relating to securities law\n                                                                                            Courts and\n      incurred in             violations or common law fraud in connection with a\n803                                                                                         Law\n      violation of            securities transaction cannot be discharged in\n                                                                                            Enforcement\n      securities fraud        bankruptcy.\n      laws\n                              A private right of action involving fraud, deceit,\n      Statute of              manipulation, or contrivance involving the securities         Courts and\n804   limitations for         laws may be brought not later than the earlier of: 2 years    Law\n      securities fraud        after the discovery of facts constituting the violation or    Enforcement\n                              5 years after the violation.\n      Review of federal\n      sentencing              The United States Sentencing Commission (USSC) is to\n      guidelines for          review and amend the Federal Sentencing Guidelines\n805   obstruction of          and policy statements to ensure they are sufficient to        USSC\n      justice and             deter and punish cases involving document destruction,\n      extensive criminal      financial fraud, and organized crime.\n      fraud\n      Protection for          Provides whistle-blower protection for employees who\n      employees of            report securities laws violations by their employers. 
An\n                                                                                            Courts and\n      publicly traded         employee proven to have been discriminated against by\n806                                                                                         Public\n      companies who           the employer is entitled to compensatory damages,\n                                                                                            Company\n      provide evidence of     including reinstatement, back pay with interest, and\n      fraud                   special damages.\n      Criminal penalties      Whoever knowingly executes or attempts to execute a\n      for defrauding          scheme to defraud a person in connection with a security      Courts and\n807   shareholders of         or obtains by false pretenses money or property in            Law\n      publicly traded         connection with a securities transaction could be fined       Enforcement\n      companies               and/or imprisoned up to 25 years.\n\n                 Title IX \xe2\x80\x93 White Collar Crime Penalty Enhancements\n901   Short title             White-Collar Crime Penalty Enhancement Act of 2002.           --\n      Attempts and            It is a federal crime for any person to attempt or conspire\n                                                                                            Courts and\n      conspiracies to         to commit any offense under chapter 63 of\n902                                                                                         Law\n      commit criminal         Title 18 U.S.C. 
and is punishable by fine and/or\n                                                                                            Enforcement\n      fraud offenses          imprisonment to the same extent as the actual offense.\n      Criminal penalties                                                                    Courts and\n                              Maximum imprisonment for mail and wire fraud is\n903   for mail and wire                                                                     Law\n                              increased from 5 years to 20 years.\n      fraud                                                                                 Enforcement\n      Criminal penalties\n      for violations of the\n                                                                                            Courts and\n      Employee\n904                           This section increases the penalties for violating ERISA.     Public\n      Retirement Income\n                                                                                            Company\n      Security Act\n      (ERISA) of 1974\n      Amendment to\n      sentencing              The USSC is to review and, if appropriate, amend the\n905   guidelines relating     Federal Sentencing Guidelines and policy statements to        USSC\n      to certain white        implement this Act.\n      collar offenses\n\n\n                                                21\n\x0c                                                                                          APPENDIX II\n\n                                 Financial statements are to include a written statement\n                                 by the CEO and CFO, or equivalent, certifying that the\n          Corporate\n                                 financial statements fairly present, in all material          Public\n 906      responsibility for\n                                 respects, the issuer\xe2\x80\x99s operations and financial condition.   
 Company\n          financial reports\n                                 Violations are punishable by fines of up to $5 million\n                                 and/or imprisonment of up to 20 years.\n\n                                 Title X \xe2\x80\x93 Corporate Tax Returns\n          Sense of the Senate\n          regarding the        It is the sense of the Senate that federal income tax\n 1001     signing of corporate returns of a corporation should be signed by the                --\n          tax returns by       corporation\xe2\x80\x99s chief executive officer.\n          CEOs\n\n                         Title XI \xe2\x80\x93 Corporate Fraud and Accountability\n 1101     Short Title           Corporate Fraud Accountability Act of 2002                     --\n          Tampering with a\n                                It a crime for anyone to alter, destroy, mutilate, or hide a\n          record or                                                                            Courts and\n                                record or object with intent to impair its integrity or\n 1102     otherwise                                                                            Law\n                                impede any official proceeding. 
Violations are\n          impeding an                                                                          Enforcement\n                                punishable by fine and/or imprisonment of up to 20 years.\n          official proceeding\n          Temporary freeze\n          authority for the     The SEC has the authority to temporarily freeze the funds\n 1103     Securities and        of an issuer it believes may have violated federal             SEC\n          Exchange              securities laws.\n          Commission\n                                The USSC is to review sentencing guidelines applicable\n          Amendment to the      to securities and accounting fraud, consider enhancing\n 1104     federal sentencing    those applicable to officers and directors of publicly         USSC\n          guidelines            traded companies, and report the findings and\n                                recommendations to Congress.\n                                The SEC has the authority to prohibit, permanently or\n                                temporarily, anyone who has violated section 10(b)\n          Authority of the\n                                (insider trading restrictions) of the Securities Exchange\n          SEC to prohibit\n                                Act from acting as an officer or director of any issuer with\n 1105     persons from                                                                         SEC\n                                securities registered under section 12 of the Act or that is\n          serving as officers\n                                required to file reports under section 15(d) of the Act, if\n          and directors\n                                that person\xe2\x80\x99s conduct demonstrates unfitness to serve as\n                                an officer or director.\n          Increased criminal    Penalties for willful violation are increased from fines of\n          penalties under       $1 
million and/or imprisonment of up to 10 years to            Courts and\n 1106     Securities            $5 million and 20 years, respectively, for natural persons     Law\n          Exchange Act of       (individuals), and up to $25 million in fines for other than   Enforcement\n          1934                  natural persons (business entities).\n                                Anyone who knowingly with intent to retaliate takes an\n                                                                                               Courts and\n          Retaliation against   action to harm anyone who provides information to law\n 1107                                                                                          Law\n          informants            enforcement officials regarding a Federal offense may be\n                                                                                               Enforcement\n                                fined and/or imprisoned up to 10 years.\nSource: FDIC Legal Division and OIG analysis.\n\n\n\n\n                                                    22\n\x0c                                                                                   APPENDIX III\n\n\n                   GUIDANCE ISSUED BY THE FDIC IMPLEMENTING\n                     PROVISIONS OF THE SARBANES-OXLEY ACT\n\n\n            Section                    Financial Institution Guidance         Examiner Guidance\n                      Sections Added to the Securities Exchange Act of 1934\n                                                                              \xe2\x80\xa2 Regional Directors\n\xe2\x80\xa2 10A(m) \xe2\x80\x93 Standards Relating to                                                Memorandum\n  Audit Committees                  \xe2\x80\xa2 FDIC limited-distribution* FIL,           2003-027, July 9,\n\xe2\x80\xa2 13(i) \xe2\x80\x93 Accuracy of Financial       August 13, 2002, Financial Statement      2003, Corporate\n  Reports                    
         Certification and Beneficial              Governance, Audits,\n\xe2\x80\xa2 13(j) \xe2\x80\x93 Off-Balance Sheet           Ownership Filing Requirements of the      and Reporting\n  Transactions                        Sarbanes-Oxley Act of 2002                Requirements\n\xe2\x80\xa2 13(k) \xe2\x80\x93 Prohibition on Personal   \xe2\x80\xa2 FIL-17-2003, March 5, 2003,             \xe2\x80\xa2 RD Memorandum\n  Loans to Executives                 Corporate Governance, Audits, and         2004-021,\n\xe2\x80\xa2 13(l) \xe2\x80\x93 Real Time Issuer            Reporting Requirements                    May 14, 2004,\n  Disclosures                                                                   Revised Examination\n                                                                                Modules\n\n                   Sections Amended in the Securities Exchange Act of 1934\n                                    \xe2\x80\xa2 Limited-distribution* FIL, August 13,\n\xe2\x80\xa2 12(i) \xe2\x80\x93 Conforming\n                                      2002, Financial Statement\n  Amendment [defines section\n                                      Certification and Beneficial\n  numbering change in the\n                                      Ownership Filing Requirements of the\n  Exchange Act]                                                               \xe2\x80\xa2 Not Applicable\n                                      Sarbanes-Oxley Act of 2002\n\xe2\x80\xa2 13(b)(2) \xe2\x80\x93 Conforming\n                                    \xe2\x80\xa2 FIL-17-2003, March 5, 2003,\n  Amendment [adds new\n                                      Corporate Governance, Audits, and\n  language to the Exchange Act]\n                                      Reporting Requirements\n                                    \xe2\x80\xa2 Limited-distribution* FIL, August 13,\n                                      2002, Financial Statement\n                                      Certification and 
Beneficial\n                                      Ownership Filing Requirements of the\n                                      Sarbanes-Oxley Act of 2002\n                                    \xe2\x80\xa2 FIL-60-2003, July 28, 2003, Federal\n\xe2\x80\xa2 16(a) \xe2\x80\x93 [Beneficial Ownership]      Banking Agencies Announce New           \xe2\x80\xa2 Not Applicable\n  Disclosures Required                Interagency Electronic Filing System\n                                      for Beneficial Ownership Reports\n                                    \xe2\x80\xa2 FIL-41-2004, April 15, 2004,\n                                      Mandatory Electronic Filing of\n                                      Beneficial Ownership Reports by\n                                      Insiders of FDIC-Supervised\n                                      Registered Banks\n\n\n\n\n                                                  23\n\x0c                                                                                       APPENDIX III\n\n\n\n              Section                      Financial Institution Guidance         Examiner Guidance\n                           New Sections in the Sarbanes-Oxley Act of 2002\n\xe2\x80\xa2 302 \xe2\x80\x93 Corporate Responsibility\n  for Financial Reports                 \xe2\x80\xa2 Limited-distribution* FIL, August 13,\n\xe2\x80\xa2 303 \xe2\x80\x93 Improper Influence on             2002, Financial Statement\n  Conduct of Audits                       Certification and Beneficial            \xe2\x80\xa2 RD Memorandum\n\xe2\x80\xa2 304 \xe2\x80\x93 Forfeiture of Certain             Ownership Filing Requirements of the      2003-027, July 9,\n  Bonuses and Profits                     Sarbanes-Oxley Act of 2002                2003, Corporate\n\xe2\x80\xa2 306 \xe2\x80\x93 Insider Trades During           \xe2\x80\xa2 FIL-17-2003, March 5, 2003,               Governance, Audits,\n  Pension Fund Blackout Periods           Corporate Governance, Audits, and   
      and Reporting\n\xe2\x80\xa2 401(b) \xe2\x80\x93 Commission Rules on            Reporting Requirements                    Requirements\n  Pro Forma Figures                     \xe2\x80\xa2 FIL-66-2003, August 18, 2003, Rules     \xe2\x80\xa2 RD Memorandum\n\xe2\x80\xa2 404 \xe2\x80\x93 Management                        of Practice for the Removal,              2004-021,\n  Assessment of Internal                  Suspension, and Debarment of              May 14, 2004,\n  Controls                                Accountants and Accounting Firms          Revised Examination\n\xe2\x80\xa2 406 \xe2\x80\x93 Code of Ethics for              \xe2\x80\xa2 Limited-distribution* FIL, August 9,      Modules\n  Senior Financial Officers               2004, Recent SEC Developments and\n\xe2\x80\xa2 407 \xe2\x80\x93 Disclosure of Audit               Changes in Filing Requirements\n  Committee Financial Expert\nSource: OIG analysis.\n* Distributed only to FDIC-supervised registrants.\n\n\n\n\n                                                      24\n\x0c                                                                                            APPENDIX IV\n\n\n                      SUMMARY OF SARBANES-OXLEY ACT RELATED\n                          FINANCIAL INSTITUTION LETTERS\n    FIL         DATED             SUBJECT                                  SUMMARY\n                             Financial Statement     The FDIC explained its expectations with respect to\n                             Certification and       sections 302 and 906 of the Sarbanes-Oxley Act that\nLimited                      Beneficial Ownership    require written certifications to accompany periodic\n                 08/13/02\nDistribution*                Filing Requirements     reports containing financial statements required by\n                             of the Sarbanes-Oxley   sections 13(a) or 15(d) of the Securities Exchange Act of\n                             Act of 2002             1934.\n        
                                             The federal banking agencies have revised their 1997\n                             Interagency Policy\n                                                     internal audit policy statement to update guidance (in light\n                             Statement on the\n                                                     of the Sarbanes-Oxley Act) on the independence of an\nFIL-21-2003      03/17/03    Internal Audit\n                                                     accountant who provides both external audit and internal\n                             Function and Its\n                                                     audit services to an institution. Other parts of the 1997\n                             Outsourcing\n                                                     policy statement also have been revised.\n                             Federal Banking         Directors, officers, and principal shareholders of\n                             Agencies Announce       institutions whose equity securities are registered with the\n                             New Interagency         FDIC, the FRB, and the OCC were encouraged to use a\nFIL-60-2003      07/28/03\n                             Electronic Filing       new interagency electronic filing system, as required by\n                             System for Beneficial   the Sarbanes-Oxley Act, to submit their beneficial\n                             Ownership Reports       ownership reports to the agencies beginning July 30, 2003.\n                                                     The banking and thrift regulatory agencies have issued\n                             Rules of Practice for   final rules governing their authority to take disciplinary\n                             the Removal,            actions against independent public accountants and\n                             Suspension, and         accounting firms that perform audit and attestation\nFIL-66-2003     
 08/18/03\n                             Debarment of            services required by section 36 of the FDI Act. Section 36\n                             Accountants and         final rules for disciplinary actions address violations by\n                             Accounting Firms        accountants of certain provisions of the Sarbanes-Oxley\n                                                     Act of 2002.\n                                                     The FDIC explained the disclosure requirements for off-\n                             Recently Required       balance sheet arrangements, which was added by section\n                             Financial Reporting     401(a) of the Sarbanes-Oxley Act. The changes effective\nLimited\n                 02/13/04    Disclosures for         for financial institution registrants with respect to\nDistribution*\n                             Publicly Reporting      Management\xe2\x80\x99s Discussion and Analysis of Financial\n                             Banks                   Condition and Results of Operations (MD&A) were also\n                                                     explained.\n                                                     The FDIC issued an interim final rule amending Part 335\n                             Mandatory Electronic\n                                                     of its regulations to require electronic filing of beneficial\n                             Filing of Beneficial\n                                                     ownership reports by directors, executive officers, and\n                             Ownership Reports by\nFIL-41-2004      04/15/04                            principal shareholders of banks with equity securities\n                             Insiders of FDIC-\n                                                     registered with the FDIC under the federal securities laws.\n                             Supervised Registered\n                          
                           This rule, which took effect June 11, 2004, implemented\n                             Banks\n                                                     certain requirements of the Sarbanes-Oxley Act of 2002.\n                                                     The FDIC informed financial institutions about several\n                             Recent SEC\n                                                     important SEC and PCAOB reporting changes. The FIL\nLimited                      Developments and\n                 08/09/04                            also addresses the latest amendments to rules regarding\nDistribution*                Changes in Filing\n                                                     implementation of sections 302, 404, 409, and 906 of the\n                             Requirements\n                                                     Sarbanes-Oxley Act.\nSource: OIG Analysis.\n* Distributed only to FDIC-supervised registrants.\n\n\n\n\n                                                     25\n\x0c                       APPENDIX V\n\n\n\nCORPORATION COMMENTS\n\x0c"